Need network policy for intra-namespace only plus ingress controller

I have been struggling to get a network policy in place that does the following:

  • Only allows pods/services within the same namespace to communicate with one another (a pod in namespace A CANNOT talk to a pod in namespace B) - i.e. namespace isolation

  • Allow access from the outside via the ingress controller running in namespace ingress-nginx

My network policy looks like:

apiVersion: networking.k8s.io/v1   # required for kubectl apply; omitted in the original paste
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: bjmtest
spec:
  podSelector: {}                  # empty selector: the policy applies to every pod in bjmtest
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
        - namespaceSelector:
            matchLabels:
              name: bjmtest

Basically I want the policy to apply to all pods in the namespace and I want pods with a namespace label “name: ingress-nginx” OR pods with a namespace label “name: bjmtest” to be able to communicate.

What I’m seeing is pod isolation (namespace bjmtest comes up fine and if I exec into one of the pods, I cannot curl services in other namespaces) which is what I want.

But if I try to access any of my ingress routes (kubectl get ingress -n bjmtest), I either sometimes get the service or I get a 504 gateway error.

How can I have namespace isolation while at the same time allowing the ingress rules to work?
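As an added example that is not part of the original post, here is a policy for the same goal that keys on the label Kubernetes sets on every namespace automatically (kubernetes.io/metadata.name, present since 1.22) instead of a hand-applied name label, and that narrows the ingress-nginx rule to the controller pods only. It assumes the controller pods carry the upstream ingress-nginx label app.kubernetes.io/name=ingress-nginx; confirm with kubectl get pods -n ingress-nginx --show-labels, and confirm the namespace labels with kubectl get ns --show-labels.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-ingress
  namespace: bjmtest
spec:
  # Empty podSelector: every pod in bjmtest is selected, so all of them become
  # isolated for ingress and only the rules below admit traffic.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Separate items under "from" are OR-ed: a source matching either is allowed.
    # Rule 1: any pod in the same namespace. kubernetes.io/metadata.name is set
    # by the API server and cannot be removed, so this does not depend on a
    # "name" label someone had to add by hand.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bjmtest
    # Rule 2: only the ingress controller pods. namespaceSelector and podSelector
    # in the SAME list item are AND-ed, so other workloads that happen to live in
    # ingress-nginx are not let in.
    # Assumption: controller pods are labelled app.kubernetes.io/name=ingress-nginx
    # (the label used by the upstream ingress-nginx manifests and Helm chart).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
```

Because policyTypes lists only Ingress, this policy says nothing about egress: pods in bjmtest can still open connections to other namespaces unless an Egress policy is added there as well.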